Update to 1.20.0

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0

Resolves: RHEL-36025

.gitignore

@@ -83,3 +83,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.18.0.tar.gz.asc
 /unbound-1.19.0.tar.gz
 /unbound-1.19.0.tar.gz.asc
+/unbound-1.20.0.tar.gz
+/unbound-1.20.0.tar.gz.asc

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4
-SHA512 (unbound-1.19.0.tar.gz.asc) = 63aa94192de7840f7abe43367e2c3f5d3fd42b8d72c08a5645cf28e2c0ad2e11d54f3aa645384fff5d4dfe66bc7ee25d81bd967780a992b54956343974206580
+SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd
+SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad

unbound-1.19-b.root-servers.net-conf.patch

@@ -1,38 +0,0 @@
-From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Tue, 16 Jan 2024 16:13:29 +0100
-Subject: [PATCH] Update b.root-servers.net also in example config file
-
-Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which
-updated only address specified in code. But addresses provided in
-example configuration were not updated, I think they should be updated
-too.
----
- unbound-1.19.0/doc/example.conf.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in
-index b79a322..3a15357 100644
---- a/unbound-1.19.0/doc/example.conf.in
-+++ b/unbound-1.19.0/doc/example.conf.in
-@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf
- # notifies.
- auth-zone:
- 	name: "."
--	primary: 199.9.14.201         # b.root-servers.net
-+	primary: 170.247.170.2        # b.root-servers.net
- 	primary: 192.33.4.12          # c.root-servers.net
- 	primary: 199.7.91.13          # d.root-servers.net
- 	primary: 192.5.5.241          # f.root-servers.net
-@@ -1211,7 +1211,7 @@ auth-zone:
- 	primary: 193.0.14.129         # k.root-servers.net
- 	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
- 	primary: 192.0.32.132         # xfr.lax.dns.icann.org
--	primary: 2001:500:200::b      # b.root-servers.net
-+	primary: 2801:1b8:10::b       # b.root-servers.net
- 	primary: 2001:500:2::c        # c.root-servers.net
- 	primary: 2001:500:2d::d       # d.root-servers.net
- 	primary: 2001:500:2f::f       # f.root-servers.net
--- 
-2.43.0
-

unbound-1.19-b.root-servers.net.patch

@@ -1,35 +0,0 @@
-From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001
-From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
-Date: Wed, 6 Dec 2023 13:25:58 +0100
-Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in
- root hints.
-
----
- unbound-1.19.0/iterator/iter_hints.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c
-index a60d9a6..6b56daa 100644
---- a/unbound-1.19.0/iterator/iter_hints.c
-+++ b/unbound-1.19.0/iterator/iter_hints.c
-@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
- 	dp->has_parent_side_NS = 1;
-       if(do_ip4) {
- 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4"))	goto failed;
--	if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
-+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2"))	goto failed;
- 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12"))	goto failed;
- 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13"))	goto failed;
- 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
-@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
-       }
-       if(do_ip6) {
- 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
--	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
-+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
- 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
- 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
- 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
--- 
-2.43.0
-

unbound-fedora-config.patch

@@ -1,4 +1,4 @@
-From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001
+From 135a7be6a2b30b74a9fc239adac45f08ad4eace7 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 10 Nov 2023 12:58:31 +0100
 Subject: [PATCH] Customize unbound.conf for Fedora defaults
@@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By
 patching upstream provided config file we would not need to manually
 update external copy in source RPM.
 ---
- unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++-----------
- 1 file changed, 131 insertions(+), 74 deletions(-)
+ unbound-1.20.0/doc/example.conf.in | 199 +++++++++++++++++++----------
+ 1 file changed, 128 insertions(+), 71 deletions(-)
 
-diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in
-index fe0dde6..b79a322 100644
---- a/unbound-1.19.0/doc/example.conf.in
-+++ b/unbound-1.19.0/doc/example.conf.in
+diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
+index 0368c8d..5873db5 100644
+--- a/unbound-1.20.0/doc/example.conf.in
++++ b/unbound-1.20.0/doc/example.conf.in
 @@ -17,11 +17,12 @@ server:
  	# whitespace is not necessary, but looks cleaner.
  
@@ -120,7 +120,7 @@ index fe0dde6..b79a322 100644
  
  	# use IP_FREEBIND so the interface: addresses can be non-local
  	# and you can bind to nonexisting IPs and interfaces that are down.
-@@ -256,6 +275,8 @@ server:
+@@ -276,6 +295,8 @@ server:
  	# nat64-prefix: 64:ff9b::0/96
  
  	# Enable UDP, "yes" or "no".
@@ -129,16 +129,16 @@ index fe0dde6..b79a322 100644
  	# do-udp: yes
  
  	# Enable TCP, "yes" or "no".
-@@ -281,7 +302,7 @@ server:
+@@ -301,7 +322,7 @@ server:
  	# tcp-idle-timeout: 30000
  
  	# Enable EDNS TCP keepalive option.
 -	# edns-tcp-keepalive: no
 +	edns-tcp-keepalive: yes
  
- 	# Timeout for EDNS TCP keepalive, in msec.
- 	# edns-tcp-keepalive-timeout: 120000
-@@ -290,6 +311,9 @@ server:
+ 	# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
+ 	# if edns-tcp-keepalive is set.
+@@ -311,6 +332,9 @@ server:
  	# can be dropped. Default is 0, disabled. In seconds, such as 3.
  	# sock-queue-timeout: 0
  
@@ -148,7 +148,7 @@ index fe0dde6..b79a322 100644
  	# Use systemd socket activation for UDP, TCP, and control sockets.
  	# use-systemd: no
  
-@@ -402,6 +426,7 @@ server:
+@@ -424,6 +448,7 @@ server:
  	#
  	# If you give "" no chroot is performed. The path must not end in a /.
  	# chroot: "@UNBOUND_CHROOT_DIR@"
@@ -156,7 +156,7 @@ index fe0dde6..b79a322 100644
  
  	# if given, user privileges are dropped (after binding port),
  	# and the given username is assumed. Default is user "unbound".
-@@ -413,7 +438,7 @@ server:
+@@ -435,7 +460,7 @@ server:
  	# is not changed.
  	# If you give a server: directory: dir before include: file statements
  	# then those includes can be relative to the working directory.
@@ -165,7 +165,7 @@ index fe0dde6..b79a322 100644
  
  	# the log file, "" means log to stderr.
  	# Use of this option sets use-syslog to "no".
-@@ -428,7 +453,7 @@ server:
+@@ -450,7 +475,7 @@ server:
  	# log-identity: ""
  
  	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
@@ -174,7 +174,7 @@ index fe0dde6..b79a322 100644
  
  	# print one line with time, IP, name, type, class for every query.
  	# log-queries: no
-@@ -497,22 +522,22 @@ server:
+@@ -522,22 +547,22 @@ server:
  	# harden-large-queries: no
  
  	# Harden against out of zone rrsets, to avoid spoofing attempts.
@@ -201,7 +201,7 @@ index fe0dde6..b79a322 100644
  
  	# Harden against algorithm downgrade when multiple algorithms are
  	# advertised in the DS record.  If no, allows the weakest algorithm
-@@ -526,7 +551,7 @@ server:
+@@ -551,7 +576,7 @@ server:
  	# Sent minimum amount of information to upstream servers to enhance
  	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
  	# to A when possible.
@@ -210,7 +210,7 @@ index fe0dde6..b79a322 100644
  
  	# QNAME minimisation in strict mode. Do not fall-back to sending full
  	# QNAME to potentially broken nameservers. A lot of domains will not be
-@@ -536,7 +561,7 @@ server:
+@@ -561,7 +586,7 @@ server:
  
  	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
  	# and other denials, using information from previous NXDOMAINs answers.
@@ -219,7 +219,7 @@ index fe0dde6..b79a322 100644
  
  	# Use 0x20-encoded random bits in the query to foil spoof attempts.
  	# This feature is an experimental implementation of draft dns-0x20.
-@@ -569,7 +594,7 @@ server:
+@@ -594,7 +619,7 @@ server:
  	# threshold, a warning is printed and a defensive action is taken,
  	# the cache is cleared to flush potential poison out of it.
  	# A suggested value is 10000000, the default is 0 (turned off).
@@ -228,7 +228,7 @@ index fe0dde6..b79a322 100644
  
  	# Do not query the following addresses. No DNS queries are sent there.
  	# List one address per entry. List classless netblocks with /size,
-@@ -581,20 +606,20 @@ server:
+@@ -606,20 +631,20 @@ server:
  	# do-not-query-localhost: yes
  
  	# if yes, perform prefetching of almost expired message cache entries.
@@ -254,7 +254,7 @@ index fe0dde6..b79a322 100644
  
  	# true to disable DNSSEC lameness check in iterator.
  	# disable-dnssec-lame-check: no
-@@ -604,7 +629,9 @@ server:
+@@ -629,7 +654,9 @@ server:
  	# most modules have to be listed at the beginning of the line,
  	# except cachedb(just before iterator), and python (at the beginning,
  	# or, just before the iterator).
@@ -265,7 +265,7 @@ index fe0dde6..b79a322 100644
  
  	# File with trusted keys, kept uptodate using RFC5011 probes,
  	# initial file like trust-anchor-file, then it stores metadata.
-@@ -618,10 +645,10 @@ server:
+@@ -643,10 +670,10 @@ server:
  	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
  
  	# trust anchor signaling sends a RFC8145 key tag query after priming.
@@ -278,7 +278,7 @@ index fe0dde6..b79a322 100644
  
  	# File with trusted keys for validation. Specify more than one file
  	# with several entries, one file per entry.
-@@ -642,6 +669,9 @@ server:
+@@ -667,6 +694,9 @@ server:
  	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
  	# you need external update procedures to track changes in keys.
  	# trusted-keys-file: ""
@@ -288,7 +288,7 @@ index fe0dde6..b79a322 100644
  
  	# Ignore chain of trust. Domain is treated as insecure.
  	# domain-insecure: "example.com"
-@@ -669,14 +699,15 @@ server:
+@@ -694,14 +724,15 @@ server:
  	# unsecure data. Useful to shield the users of this validator from
  	# potential bogus data in the additional section. All unsigned data
  	# in the additional section is removed from secure messages.
@@ -306,7 +306,7 @@ index fe0dde6..b79a322 100644
  
  	# Ignore the CD flag in incoming queries and refuse them bogus data.
  	# Enable it if the only clients of Unbound are legacy servers (w2008)
-@@ -690,11 +721,11 @@ server:
+@@ -715,11 +746,11 @@ server:
  
  	# Serve expired responses from cache, with serve-expired-reply-ttl in
  	# the response, and then attempt to fetch the data afresh.
@@ -320,7 +320,7 @@ index fe0dde6..b79a322 100644
  	#
  	# Set the TTL of expired records to the serve-expired-ttl value after a
  	# failed attempt to retrieve the record from upstream. This makes sure
-@@ -721,7 +752,7 @@ server:
+@@ -746,7 +777,7 @@ server:
  
  	# Have the validator log failed validations for your diagnosis.
  	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
@@ -329,7 +329,7 @@ index fe0dde6..b79a322 100644
  
  	# It is possible to configure NSEC3 maximum iteration counts per
  	# keysize. Keep this table very short, as linear search is done.
-@@ -865,6 +896,8 @@ server:
+@@ -890,6 +921,8 @@ server:
  	# you need to do the reverse notation yourself.
  	# local-data-ptr: "192.0.2.3 www.example.com"
  
@@ -338,7 +338,7 @@ index fe0dde6..b79a322 100644
  	# tag a localzone with a list of tag names (in "" with spaces between)
  	# local-zone-tag: "example.com" "tag2 tag3"
  
-@@ -875,8 +908,8 @@ server:
+@@ -900,8 +933,8 @@ server:
  	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
  	# Give the certificate to use and private key.
  	# default is "" (disabled).  requires restart to take effect.
@@ -349,7 +349,7 @@ index fe0dde6..b79a322 100644
  	# tls-port: 853
  	# https-port: 443
  
-@@ -884,6 +917,8 @@ server:
+@@ -909,6 +942,8 @@ server:
  	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
  	# cipher setting for TLSv1.3
  	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
@@ -358,8 +358,8 @@ index fe0dde6..b79a322 100644
  
  	# Pad responses to padded queries received over TLS
  	# pad-responses: yes
-@@ -1005,12 +1040,12 @@ server:
- 	# fast-server-num: 3
+@@ -1045,12 +1080,12 @@ server:
+ 	# cookie-secret: <128 bit random hex string>
  
  	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
 -	# ede: no
@@ -373,7 +373,7 @@ index fe0dde6..b79a322 100644
  
  	# Specific options for ipsecmod. Unbound needs to be configured with
  	# --enable-ipsecmod for these to take effect.
-@@ -1018,12 +1053,14 @@ server:
+@@ -1058,12 +1093,14 @@ server:
  	# Enable or disable ipsecmod (it still needs to be defined in
  	# module-config above). Can be used when ipsecmod needs to be
  	# enabled/disabled via remote-control(below).
@@ -391,7 +391,7 @@ index fe0dde6..b79a322 100644
  	# When enabled Unbound will reply with SERVFAIL if the return value of
  	# the ipsecmod-hook is not 0.
  	# ipsecmod-strict: no
-@@ -1056,7 +1093,7 @@ server:
+@@ -1096,7 +1133,7 @@ server:
  # o and give a python-script to run.
  python:
  	# Script file to load
@@ -400,7 +400,7 @@ index fe0dde6..b79a322 100644
  
  # Dynamic library config section. To enable:
  # o use --with-dynlibmodule to configure before compiling.
-@@ -1067,13 +1104,18 @@ python:
+@@ -1107,13 +1144,18 @@ python:
  #   the module-config then you need one dynlib-file per instance.
  dynlib:
  	# Script file to load
@@ -421,7 +421,7 @@ index fe0dde6..b79a322 100644
  
  	# what interfaces are listened to for remote control.
  	# give 0.0.0.0 and ::0 to listen to all interfaces.
-@@ -1087,19 +1129,22 @@ remote-control:
+@@ -1127,19 +1169,22 @@ remote-control:
  
  	# for localhost, you can disable use of TLS by setting this to "no"
  	# For local sockets this option is ignored, and TLS is not used.
@@ -449,7 +449,7 @@ index fe0dde6..b79a322 100644
  
  # Stub zones.
  # Create entries like below, to make all queries for 'example.com' and
-@@ -1121,6 +1166,10 @@ remote-control:
+@@ -1161,6 +1206,10 @@ remote-control:
  #	name: "example.org"
  #	stub-host: ns.example.com.
  
@@ -460,7 +460,7 @@ index fe0dde6..b79a322 100644
  # Forward zones
  # Create entries like below, to make all queries for 'example.com' and
  # 'example.org' go to the given list of servers. These servers have to handle
-@@ -1138,6 +1187,10 @@ remote-control:
+@@ -1178,6 +1227,10 @@ remote-control:
  # forward-zone:
  # 	name: "example.org"
  # 	forward-host: fwd.example.com
@@ -471,16 +471,13 @@ index fe0dde6..b79a322 100644
  
  # Authority zones
  # The data for these zones is kept locally, from a file or downloaded.
-@@ -1145,30 +1198,31 @@ remote-control:
- # upstream (which saves a lookup to the upstream).  The first example
- # has a copy of the root for local usage.  The second serves example.org
- # authoritatively.  zonefile: reads from file (and writes to it if you also
--# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
--# With allow-notify: you can give additional (apart from primaries and urls)
--# sources of notifies.
+@@ -1188,27 +1241,28 @@ remote-control:
+ # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
+ # With allow-notify: you can give additional (apart from primaries and urls)
+ # sources of notifies.
 -# auth-zone:
 -#	name: "."
--#	primary: 199.9.14.201         # b.root-servers.net
+-#	primary: 170.247.170.2        # b.root-servers.net
 -#	primary: 192.33.4.12          # c.root-servers.net
 -#	primary: 199.7.91.13          # d.root-servers.net
 -#	primary: 192.5.5.241          # f.root-servers.net
@@ -488,7 +485,7 @@ index fe0dde6..b79a322 100644
 -#	primary: 193.0.14.129         # k.root-servers.net
 -#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
 -#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
--#	primary: 2001:500:200::b      # b.root-servers.net
+-#	primary: 2801:1b8:10::b       # b.root-servers.net
 -#	primary: 2001:500:2::c        # c.root-servers.net
 -#	primary: 2001:500:2d::d       # d.root-servers.net
 -#	primary: 2001:500:2f::f       # f.root-servers.net
@@ -499,12 +496,9 @@ index fe0dde6..b79a322 100644
 -#	fallback-enabled: yes
 -#	for-downstream: no
 -#	for-upstream: yes
-+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
-+# With allow-notify: you can give additional (apart from masters) sources of
-+# notifies.
 +auth-zone:
 +	name: "."
-+	primary: 199.9.14.201         # b.root-servers.net
++	primary: 170.247.170.2        # b.root-servers.net
 +	primary: 192.33.4.12          # c.root-servers.net
 +	primary: 199.7.91.13          # d.root-servers.net
 +	primary: 192.5.5.241          # f.root-servers.net
@@ -512,7 +506,7 @@ index fe0dde6..b79a322 100644
 +	primary: 193.0.14.129         # k.root-servers.net
 +	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
 +	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-+	primary: 2001:500:200::b      # b.root-servers.net
++	primary: 2801:1b8:10::b       # b.root-servers.net
 +	primary: 2001:500:2::c        # c.root-servers.net
 +	primary: 2001:500:2d::d       # d.root-servers.net
 +	primary: 2001:500:2f::f       # f.root-servers.net
@@ -527,7 +521,7 @@ index fe0dde6..b79a322 100644
  # auth-zone:
  #	name: "example.org"
  #	for-downstream: yes
-@@ -1194,6 +1248,9 @@ remote-control:
+@@ -1234,6 +1288,9 @@ remote-control:
  #	name: "anotherview"
  #	local-zone: "example.com" refuse
  
@@ -537,7 +531,7 @@ index fe0dde6..b79a322 100644
  # DNSCrypt
  # To enable, use --enable-dnscrypt to configure before compiling.
  # Caveats:
-@@ -1266,7 +1323,7 @@ remote-control:
+@@ -1309,7 +1366,7 @@ remote-control:
  # 	dnstap-enable: no
  # 	# if set to yes frame streams will be used in bidirectional mode
  # 	dnstap-bidirectional: yes
@@ -547,5 +541,5 @@ index fe0dde6..b79a322 100644
  # 	# set it to "IPaddress[@port]" of the destination.
  # 	dnstap-ip: ""
 -- 
-2.41.0
+2.45.2
 

unbound.spec

@@ -30,7 +30,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.19.0
+Version: 1.20.0
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -57,11 +57,6 @@ Source20: unbound.sysusers
 
 # Downstream configuration changes
 Patch1:   unbound-fedora-config.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2253461
-# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6
-Patch2:   unbound-1.19-b.root-servers.net.patch
-# https://github.com/NLnetLabs/unbound/pull/993
-Patch3:   unbound-1.19-b.root-servers.net-conf.patch
 
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel